Hacienda69.github.io

Static Code Analysis - Dani Mañas

Systems for static code analysis to catch more errors in code

Static Code Analysis (SCA; note that the same acronym is also used for Software Composition Analysis, so security tooling often says SAST, Static Application Security Testing) is a method of analyzing source code without executing it. It examines the code’s structure, syntax, control and data flow and other characteristics to identify potential defects, security vulnerabilities, coding mistakes and deviations from coding standards. The analysis is performed by specialized tools known as static code analyzers or static analysis tools.

Key points

NOTE: Static Code Analysis lets developers and organizations find and fix potential issues in a codebase before it ships, which improves software quality, security and maintainability. The tools are not perfect, though: they occasionally report false positives (warnings for code that is actually correct) and false negatives (real issues that are missed). Developers should review the results critically and use their judgment when deciding what to fix and what to suppress.

Sanitizers in C/C++ (ASan and UBSan)

Sanitizers are dynamic analysis tools, not static ones: the compiler instruments the program at build time, and the added runtime checks catch memory errors and undefined behaviour while the program runs, on the inputs it is actually given. They are built into GCC and Clang and are enabled with -fsanitize flags. Two commonly used sanitizers are:

AddressSanitizer (ASan, -fsanitize=address) reports out-of-bounds accesses on the heap, stack and globals, use-after-free, double free and similar memory errors, with a stack trace of the faulty access and of the allocation involved.

UndefinedBehaviorSanitizer (UBSan, -fsanitize=undefined) reports undefined behaviour such as signed integer overflow, misaligned accesses, null pointer dereference and out-of-range shifts, naming the file and line where it happened.

Both ASan and UBSan report a problem at the exact point of the faulty operation during execution, which makes memory errors and undefined behaviour far easier to diagnose than a crash somewhere later. Because they only see code paths that are actually exercised, they complement static analysis rather than replace it; using both gives the broadest coverage of code quality and security issues.
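The following is an added example, not code from the original page: two bugs that compile without warnings and that a static analyzer cannot see from these functions alone (the buffer size and the overflowing operand only exist at run time), each beside its fixed version. The file name asan_demo.c and the build line are assumptions; the sanitizer messages quoted in the comments are the ones ASan and UBSan print for these bug classes.

```c
/* asan_demo.c: added example, not code from the original page.
 * Two bugs that compile cleanly and that no static check of this file can
 * decide, because the out-of-range index and the overflowing operand only
 * exist at run time, beside their fixed versions. Build with sanitizers on:
 *   gcc -g -O1 -fno-omit-frame-pointer -fsanitize=address,undefined asan_demo.c -o asan_demo
 *   ./asan_demo
 * ASan aborts on the first bug with a "heap-buffer-overflow" report; if the
 * overflow line is reached, UBSan prints "signed integer overflow" with file:line.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sums n bytes. The loop bound is off by one, so the last iteration reads
 * buf[n], one byte past the allocation. ASan reports a READ of size 1 just
 * past the n-byte region, with the stack of the access and of the malloc. */
int sum_bytes_buggy(const unsigned char *buf, size_t n) {
    int total = 0;
    for (size_t i = 0; i <= n; i++)    /* BUG: should be i < n */
        total += buf[i];
    return total;
}

/* Fixed: the index never reaches n. */
int sum_bytes_fixed(const unsigned char *buf, size_t n) {
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += buf[i];
    return total;
}

/* Signed overflow is undefined behaviour in C; the optimizer may assume it
 * never happens. UBSan reports "signed integer overflow" at this line. */
int scale_buggy(int value, int factor) {
    return value * factor;
}

/* Fixed: __builtin_mul_overflow (GCC and Clang) detects the overflow and the
 * function reports failure instead of producing a wrapped value.
 * Returns 1 and stores the product in *out on success, 0 on overflow. */
int scale_checked(int value, int factor, int *out) {
    int result;
    if (__builtin_mul_overflow(value, factor, &result))
        return 0;
    *out = result;
    return 1;
}

int main(void) {
    /* Constructed sample input: a 4-byte heap buffer. */
    unsigned char *buf = malloc(4);
    if (buf == NULL) return 1;
    memcpy(buf, "\x01\x02\x03\x04", 4);

    int product = 0;
    printf("fixed sum:   %d\n", sum_bytes_fixed(buf, 4));
    printf("checked mul: %s\n",
           scale_checked(INT_MAX, 2, &product) ? "ok" : "overflow refused");

    printf("buggy sum:   %d\n", sum_bytes_buggy(buf, 4));   /* ASan stops here */
    printf("buggy mul:   %d\n", scale_buggy(INT_MAX, 2));   /* UBSan reports here */
    free(buf);
    return 0;
}
```

Without -fsanitize the buggy read usually goes unnoticed, because malloc rounds allocations up and the extra byte is readable; that silence is exactly why the checks are worth enabling in test builds.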

Online Static Code Analysis Tools

Example: Coverity (other tools to be added).

Offline Static Code Analysis Tools

Example: cppcheck (other tools to be added).
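As an added example (not the page's own code), a file with two defects that cppcheck finds by reading the source, without compiling or running it, each beside its fix. The file name cppcheck_demo.c is an assumption; the finding ids in the comments are cppcheck's, and the exact message wording varies between cppcheck versions.

```c
/* cppcheck_demo.c: added example, not code from the original page.
 * Two defects that cppcheck reports from the source alone, each beside its
 * fix. Run offline, with a non-zero exit code on findings so it works as a
 * CI gate:
 *   cppcheck --enable=warning,style --error-exitcode=1 cppcheck_demo.c
 * Expected findings (ids are cppcheck's; wording varies by version):
 *   hex_decode_buggy: "Memory leak: out"                              [memleak]
 *   name_len_buggy:   "Either the condition 'p==NULL' is redundant or
 *                      there is possible null pointer dereference: p"  [nullPointerRedundantCheck]
 */
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes a hex string into a freshly allocated, NUL-terminated buffer.
 * BUG: 'out' is allocated first and abandoned on both error paths. */
char *hex_decode_buggy(const char *hex) {
    size_t len = strlen(hex);
    unsigned char *out = malloc(len / 2 + 1);
    if (out == NULL) return NULL;
    if (len % 2 != 0)
        return NULL;                      /* leak: out is never freed */
    for (size_t i = 0; i < len; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return NULL;                  /* leak: out is never freed */
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    out[len / 2] = '\0';
    return (char *)out;
}

/* Fixed: validate before allocating, and free on every error path. */
char *hex_decode_fixed(const char *hex) {
    size_t len = strlen(hex);
    if (len % 2 != 0) return NULL;
    unsigned char *out = malloc(len / 2 + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) {
            free(out);
            return NULL;
        }
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    out[len / 2] = '\0';
    return (char *)out;
}

/* BUG: p is dereferenced by strlen() before the NULL check, so the check is
 * either redundant or comes too late to prevent the crash. */
size_t name_len_buggy(const char *p) {
    size_t n = strlen(p);
    if (p == NULL) return 0;
    return n;
}

/* Fixed: check before use. */
size_t name_len_fixed(const char *p) {
    if (p == NULL) return 0;
    return strlen(p);
}
```

Neither defect produces a compiler warning at default settings, and the leak would also pass a sanitizer run unless a test happens to feed odd-length or non-hex input; static analysis reports both on every build, which is the complementary coverage the page is after.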

Static Code Analysis info

Code Counter

Cppcheck

SonarQube